If possible, take a snapshot of your VM before starting this Lab.
Make sure that the VM is not connected to the Internet.
Exercise
Step 1
Start a new instance of IDAPro and click on ‘New’ in the startup window.

Step 2
Select the file that we ‘fixed’ in the previous lab and hit ‘Open’.

Step 3
Untick (Uncheck) the ‘Create imports segment’ option on the following window and hit ‘OK’ after that.

Step 4
Let the file load - it will take some time. It is fully loaded once you are presented with the ‘IDA View - Graph mode’.

Step 5
Click on the ‘Imports’ tab and check that the imports are now listed there. You should be able to see the imports now.
You analysed the same file (packed version) in Lab 3.0 - Task 3. Now that we have unpacked the malware and loaded the new ‘fixed’ version in IDA Pro, we are able to see the imports (API calls) and we can now analyse them.

Further Analysis
In this section, we look at how to analyse code in IDA Pro and make it easy to understand and read for yourself as well as your team. We take a deeper look into Sub-routines, Function calls and how to manage your analysis process as you move through the code.
Sub Routines
We take a ‘work your way backwards’ approach in this section of the lab.
File Operations
We take a look at all the functions called by the malware that are required for ‘file operations’. These calls accomplish tasks such as file creation, file copying etc.
Step 1
Go to the ‘Imports Section’ and search for ‘CreateFileW’.

Step 2
Double-click on the import and it should take you to the import’s entry in the ‘data’ section of the code.
Right-click on the entry and go to ‘Jump to xref…’ and you’ll see all the references (calls) to this import.

Select the first one and hit ‘OK’.

Step 3
You’ll be taken to the actual call in the code once you hit ‘OK’ in the previous step.

Scroll up to the start of the subroutine.

Step 4
Click on ‘View’ > ‘Open Subviews’ > ‘Function Calls’.
You should be able to see a few calls that are related to file operations. This tells us that most of the file operations are taking place in this section of the code.

Step 5
Right-click on ‘sub_40869A’ and select ‘Rename’ option in the menu.

Rename the function as ‘[Initials]_File_Ops’ and hit ‘OK’.


Confirm that the new name of the function is now what you just changed it to.

Confirm that the name has changed in the functions section as well.

Step 6
Repeat the process for: sub_401B47
Find the function:

Check the function calls:

Change the function name:

Confirm name change:

Step 7
Close the project in IDA Pro.
Make sure you ‘Pack Database’ and then hit OK.

Step 8
Confirm that the new IDA Database has been saved.

Step 9
Double-click on the IDA Database file and confirm that it loads the entire project in IDA Pro.
Confirm that your new function names are still there.

You have now completed the lab. In this lab, you learnt:
Looking at imports in IDA Pro
Locating functions that deal with specific operations
Finding collections of calls that perform similar tasks and renaming the functions to reflect that
Saving the analysis as a file (IDA DB)
Using IDA DB files to share/continue/resume analysis
Repeat the above process for all the Encryption Function Calls.
List all the API calls in the right order.
Provide the entire subroutine in graph format in the report.
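The steps above (find the subroutines that reference CreateFileW, look at their function calls, rename them ‘[Initials]_File_Ops’, then repeat for the encryption calls and list the API calls in order) can also be done with an IDAPython script. The script below is an added example, not part of the lab material or IDA Pro itself. Inside IDA it walks the database with the IDAPython API (module and function names assumed to be the IDA 7.x+ ones: idaapi.enum_import_names, idautils.Functions, idautils.FuncItems, idc.set_name); outside IDA the same classification logic runs on a constructed call map that mirrors the lab’s sub_40869A and sub_401B47. The initials ‘XX’, the keyword categories and the sample API lists are assumptions.

```python
"""
Group subroutines by the imported APIs they call and propose analyst-style
names such as 'XX_File_Ops' (added example; not part of the lab).
Runs as an IDAPython script inside IDA Pro; outside IDA only the pure
classification logic runs, on the constructed SAMPLE_CALL_MAP below.
"""
import re

try:  # IDAPython modules exist only inside IDA (IDA 7.x+ names assumed)
    import idaapi, idautils, idc
    IN_IDA = True
except ImportError:
    IN_IDA = False

# Category -> pattern matched against import names (CreateFileW, CryptEncrypt ...).
# Assumed keyword lists; extend them for the sample you are analysing.
CATEGORIES = {
    "File_Ops": re.compile(r"^(Create|Read|Write|Copy|Move|Delete|Find(First|Next))File|^SetFilePointer"),
    "Crypto":   re.compile(r"^(Crypt|BCrypt)"),
    "Registry": re.compile(r"^Reg(Open|Create|Set|Query|Delete|Close)(Key|Value)"),
    "Network":  re.compile(r"^(Internet|WinHttp|WSA|socket|connect|send|recv)", re.I),
}


def classify_api(name):
    """Return the category of one imported API name, or None if uncategorised."""
    for cat, pattern in CATEGORIES.items():
        if pattern.search(name):
            return cat
    return None


def propose_names(call_map, initials="XX", taken=frozenset()):
    """call_map: {function_name: [imported API names in address order]}.
    Returns {function_name: proposed_name} for every function that calls at
    least one categorised API.  Names are kept unique (IDA rejects duplicates),
    so a second file-ops routine becomes 'XX_File_Ops_2'."""
    proposals, used = {}, set(taken)
    for func, apis in call_map.items():
        cats = []
        for api in apis:
            cat = classify_api(api)
            if cat and cat not in cats:
                cats.append(cat)            # first-seen order, e.g. File_Ops then Crypto
        if not cats:
            continue
        base = "%s_%s" % (initials, "_".join(cats))
        new, n = base, 2
        while new in used:
            new = "%s_%d" % (base, n)
            n += 1
        used.add(new)
        proposals[func] = new
    return proposals


def imported_apis():
    """{ea: name} for every entry of the import table (the 'Imports' tab)."""
    names = {}

    def cb(ea, name, ordinal):
        if name:
            names[ea] = name
        return True                         # keep enumerating

    for i in range(idaapi.get_import_module_qty()):
        idaapi.enum_import_names(i, cb)
    return names


def collect_call_map():
    """For every function, the imported APIs it references, in address order
    (the scripted equivalent of 'View > Open Subviews > Function Calls')."""
    imports = imported_apis()
    call_map = {}
    for fea in idautils.Functions():
        apis = []
        for ea in idautils.FuncItems(fea):
            refs = list(idautils.CodeRefsFrom(ea, False)) + list(idautils.DataRefsFrom(ea))
            apis.extend(imports[r] for r in refs if r in imports)
        call_map[idc.get_func_name(fea)] = apis
    return call_map


def apply_names(proposals, dry_run=True):
    """Print the proposed renames; with dry_run=False apply them to the IDB
    (what 'Right-click > Rename' does by hand)."""
    for func, new in proposals.items():
        print("%s -> %s" % (func, new))
        if not dry_run:
            idc.set_name(idc.get_name_ea_simple(func), new, idc.SN_CHECK)


# Constructed sample mirroring the lab's two subroutines (not real call data).
SAMPLE_CALL_MAP = {
    "sub_40869A": ["GetTempPathW", "CreateFileW", "WriteFile", "CloseHandle", "CopyFileW"],
    "sub_401B47": ["CreateFileW", "ReadFile", "CryptAcquireContextW", "CryptEncrypt", "WriteFile"],
    "sub_402000": ["GetTickCount", "Sleep"],
    "sub_403100": ["RegisterClassW", "CreateWindowExW"],
}

if __name__ == "__main__":
    if IN_IDA:
        cm = collect_call_map()
        existing = {name for _, name in idautils.Names()}
        apply_names(propose_names(cm, taken=existing), dry_run=True)
    else:
        for func, new in propose_names(SAMPLE_CALL_MAP).items():
            print("%s -> %s  (calls: %s)" % (func, new, ", ".join(SAMPLE_CALL_MAP[func])))
```

Run it from IDA’s File > Script file… with dry_run=True first and compare its proposals against what you found by hand; the printed API list per function is the ordered list the report asks for. Functions whose only calls are uncategorised (sub_402000 and sub_403100 in the sample) are left alone rather than given a misleading name.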